Report: FBI Had Ransomware Decryption Key for Weeks Before Giving It to Victims

The Kaseya ransomware attack, which occurred in July, was devastating: it affected up to 1,500 companies around the world. New information suggests that the FBI could have helped to lessen the damage done to victims, but chose not to.


The Washington Post has released a new report showing that the FBI had a decryption key that could unlock the victims' data, giving them the ability to restore their businesses. The bureau, however, kept the key secret for about three weeks rather than sharing it with Kaseya, the IT company that was the target of the attack.

According to reports, the feds did this because they planned an operation to disrupt the hacker gang responsible for the attack, REvil, a Russian ransomware provider, and didn't want to tip the gang off. The FBI was unable to put its plan into motion because the gang disappeared mysteriously. Kaseya received the decryption keys from the bureau on July 21, just a week after the disappearance of the gang.

Decryption keys are usually sent to victims only after they have paid the attacker. They allow victims to decrypt data encrypted in a ransomware attack and help companies recover. They don't always work well, which is why authorities recommend that victims never pay ransoms.

How did the FBI get REvil's decryption keys? This is a very strange part of the story. It is unclear how the government obtained access to the ransomware gang's servers, or why it was so easy for them to do this shortly after the attack.

The bureau's aborted operation resulted in the withholding of a crucial tool that could have saved organizations from millions of dollars in recovery costs. Those organizations included schools, hospitals and small businesses.

Sources interviewed by The Washington Post attributed this to the routine cost-benefit analysis federal agencies must do when prosecuting criminals.


"We ask ourselves the following questions: What would be the worth of a key if it were disclosed? What number of victims are there?" One source said that the newspaper could help those in need. "What would the upside be to a longer-term operation that disrupts an ecosystem? These are the questions that we will continue to balance."

Gizmodo reached Kaseya via email Tuesday for comment. A spokesperson for Kaseya said that the company is grateful for the FBI's support and could not comment on the timing of the key release.


The FBI has not yet responded to a request for comment.

This development raises more questions than it answers, and frankly, I'm not sure if this is the right answer. It means that the government had direct access to the hackers' servers, and therefore the decryption keys, almost immediately following the attack. Although the Post article does not reveal the exact date on which the bureau acquired the key, it is known that Kaseya made the first public disclosure that it had the key around three weeks after the attack. It is difficult to understand how and why the FBI was able to seize the key so quickly.


It is not the first time the feds have found a key piece of the puzzle while investigating ransomware attacks. The government also managed to obtain the key to the crypto wallet used in the ransomware attack on Colonial Pipeline in May. This allowed them to recover a large portion of the ransom that had been paid. The operation that saw the Justice Department seize millions in cryptocurrency was not fully explained to the public.

One thing is certain: Business owners who were affected by the Kaseya attack are not happy about the delayed decryption. Joshua Justice, the owner of the Maryland IT company JustTech, was quoted as saying that July was a month of misery.


People would call me and ask if my business was going to survive. I heard them cry. One man said to me, "Should I retire?" Should I let my employees go